HomeAnalyticsAlertsData Protection Enforcement in Chile: Recent Regulatory Actions

Data Protection Enforcement in Chile: Recent Regulatory Actions

Chile's data protection regime has entered a markedly stricter enforcement phase. International companies operating in Chile – whether as a data controller or a data processor – now face a meaningfully higher risk of regulatory scrutiny. Enforcement actions by Chilean authorities have escalated in frequency and financial consequence. Businesses that have treated Chilean data protection obligations as secondary to their GDPR compliance programmes are exposed.

Chile's data protection legislation was substantially amended through a comprehensive reform that took effect in 2024, introducing mandatory registration requirements, reinforced consent mechanisms, and strengthened rules on cross-border data transfer. The reform established a dedicated data protection authority – the Agencia de Protección de Datos Personales (Data Protection Agency of Chile, or DPA) – with independent sanctioning powers. Companies processing personal data of Chilean residents must align their operations with the updated rules or face administrative penalties within compliance deadlines that are now running.

This alert sets out what changed, which businesses are affected, and the concrete steps international companies should take without delay.

What changed and when it took effect

Chile's reformed data protection legislation represents the most significant overhaul of the country's privacy rules in over two decades. The prior regime – dating to the late 1990s – was widely regarded as insufficient for the digital economy. The reform addressed that gap directly.

The core changes include the following. First, the legislation formally established the DPA as an independent enforcement body with authority to investigate complaints, conduct audits, and impose administrative sanctions. Second, the concept of lawful bases for personal data processing was recast. Consent must now be freely given, specific, informed, and unambiguous – closely mirroring the standard established in European data protection legislation. Third, new rules govern cross-border data transfer: transfers to jurisdictions without an adequate level of protection require either standard contractual clauses, binding corporate rules, or explicit DPA authorisation.

Fourth, data subjects in Chile now hold a consolidated set of rights: access, rectification, erasure, portability, and objection. Data controllers must respond to exercise requests within defined timeframes. Fifth, mandatory breach notification obligations apply: companies must notify the DPA of qualifying personal data breaches within a period of 72 hours from discovery. a timeline that mirrors international practice but is new to Chilean law.

The reform entered into force progressively. The structural provisions – including the DPA's establishment – became effective in 2024. Transition periods for certain operational compliance requirements ran through early 2025. As of the date of this alert, all principal obligations are operative and enforceable. The DPA has confirmed it is conducting active compliance reviews and has published enforcement priorities for the current calendar year.

For international companies with AI-driven data processing operations in Chile, the intersection of these rules with emerging technology regulation adds an additional compliance dimension. Our analysis of AI and technology law obligations in Chile addresses how algorithmic processing and automated decision-making interact with the updated data protection regime.

Which businesses are affected and the threshold criteria

The reformed legislation applies broadly. Any entity – Chilean-incorporated or foreign – that processes personal data of individuals located in Chile falls within scope. There is no minimum revenue or employee threshold that excludes smaller operators. The determining factor is whether personal data of Chilean residents is processed, regardless of where the processing organisation is established.

The following categories of international business face the greatest immediate exposure.

  • E-commerce and retail platforms processing Chilean consumer data – including purchase history, behavioural profiles, and payment information.
  • Financial services and fintech companies subject to both the DPA's oversight and sector-specific financial regulation.
  • SaaS and cloud service providers acting as data processors on behalf of Chilean business clients – processor obligations are now explicitly codified.
  • Healthcare and pharmaceutical groups handling sensitive personal data, which attracts a heightened compliance standard under the legislation.
  • HR and payroll platforms processing employee data for Chilean workforce operations of multinational groups.

The legislation draws a clear distinction between a data controller. the entity that determines the purposes and means of processing – and a data processor – the entity that processes data on the controller's instructions. Both roles carry distinct obligations. Controllers bear primary accountability. Processors must operate under a written data processing agreement and may not act outside the controller's documented instructions.

Companies that assumed their GDPR compliance programmes would satisfy Chilean requirements should reassess that assumption. The Chilean rules share structural similarities with European data protection legislation, but local consent mechanism requirements, data localisation considerations, and DPA registration procedures differ in material respects. A gap analysis against Chilean-specific rules is required.

To receive an expert assessment of your data protection exposure in Chile, contact us at info@ferrazwhitmore.com.

Immediate actions required for international companies

The DPA has signalled that it will prioritise enforcement against companies that have made no demonstrable effort to comply with the updated rules. The following five actions should be initiated without delay.

1. Conduct a Chilean-specific data mapping exercise. Identify every category of personal data processed in connection with Chilean residents. Map the legal basis relied upon for each processing activity. Verify that existing consent mechanisms meet the updated standard – general or pre-ticked consent boxes will not satisfy the legislation's requirements.

2. Audit cross-border data transfer arrangements. If personal data collected in Chile is transferred to servers or group entities in other jurisdictions, assess whether an adequate legal basis for that data transfer exists under Chilean law. Standard contractual clauses may need to be adapted to reference the Chilean legislative regime specifically – European-law SCCs alone are insufficient.

3. Review and update data processing agreements. Any vendor, cloud provider, or group entity acting as a data processor must operate under a written agreement that satisfies the reformed legislation's requirements. Existing DPA agreements drafted under the prior regime or under GDPR templates should be reviewed and updated.

4. Establish a breach notification procedure. The 72-hour breach notification timeline requires an internal response protocol to be in place before an incident occurs. Designate a responsible team, define escalation triggers, and prepare a notification template aligned with the DPA's published guidance.

5. Implement a data subject rights handling process. Chilean data subjects may now formally exercise access, rectification, erasure, portability, and objection rights. Companies must have a documented procedure for receiving, verifying, and responding to such requests within the statutory deadline. Failure to respond is itself a sanctionable breach.

Companies operating across multiple jurisdictions in the Americas should note that enforcement trends in Chile are part of a broader regional shift. A comparative analysis of data protection enforcement actions in the United States provides useful context for benchmarking regional compliance strategies.

A comprehensive overview of the firm's data protection advisory services in Chile – including regulatory registration support, DPA liaison, and cross-border transfer structuring – is available at data protection law services in Chile.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising clients across 46 jurisdictions on data protection compliance, regulatory enforcement, and cross-border privacy strategy. Our data protection practice covers both civil law and common law systems, enabling us to support multinational clients whose operations span multiple regulatory regimes simultaneously. Engaging a lawyer in Chile with cross-border data protection experience is particularly valuable when consent mechanism requirements. Data transfer rules. Additionally, DPA registration obligations differ materially from the European standards your compliance team may be more familiar with. As an international law firm advising on Chilean data protection matters, Ferraz & Whitmore provides gap analysis, documentation review, DPA registration support, and incident response planning for international businesses of all sizes. To discuss your compliance position in Chile, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.